An incident management system is a core component of the incident response process. Documentation and activity management allow the timely monitoring of each of the phases and facilitate decision making.
Fortunately, there are multiple incident management systems on the market, both open source and commercial, so you can make a diagnosis of the capabilities within the organization to then choose which is the best option.
TheHive is not just an incident ticketing system; the platform also offers case management capabilities, playbook integration, access to external intelligence sources through the companion tool known as Cortex, and support for MITRE ATT&CK, among other features.
In this chapter, you will learn how to use TheHive as an incident management system and we will cover the following topics:
In case you haven't already, you need to download and install VMware Workstation Player from this link https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html.
To access additional resources described in this chapter, you can visit the official GitHub repository of this book: https://github.com/PacktPublishing/Incident-Response-with-Threat-Intelligence.
You will need to download the Demo Virtual Machine with the latest versions of TheHive and Cortex by clicking on https://marketing.strangebee.com/thehive-cortex-demo-virtual-machine and completing the form with your information, as shown in the following screenshot:
Once you've finished the registration, you will receive an email with the link to download the virtual machine (VM).
Note
You can also download the VM used in this book from the book's VMs repository: https://github.com/PacktPublishing/Incident-Response-with-Threat-Intelligence.
To start using this virtual pre-installed version of TheHive, you need to import the downloaded .ova file using VMware Workstation Player by following these steps:
You might receive the following warning dialog box. If that's the case, just click the Retry button to continue with the importation process, as you can see in the following figure:
Note
This warning appeared because the file does not comply with the OVF specification; however, this won't have an impact on the normal operation of the VM.
You can connect to the TheHive dashboard from any browser by navigating to the IP address shown on the virtual machine's console. The different services and components of TheHive can be configured from the command line.
Now, let's review the architecture of TheHive and the functionalities of its components.
TheHive is a scalable and modular incident management platform that can be installed in a standalone or a clustered, distributed environment. Before installing it in a production environment, it is very important to define the architecture according to the capacity needs of your organization.
For this module, we will use a preinstalled version of TheHive in a VM to focus specifically on the functionality and capacities of the product. You can consult the project's documentation for installation and configuration at the following link: https://docs.thehive-project.org/thehive/.
The incident management platform is composed of three components:
The architecture of TheHive and Cortex is developed as follows:
The following figure shows the interaction between the different components of TheHive:
The hardware requirements of TheHive and its components will depend, among other things, on the volume of data that is required to be processed. It is recommended to perform a diagnosis to consider the variables of each environment.
The first thing you should do before using TheHive is to customize the settings of the VM. To do this, provide the credentials that are configured by default using the following steps:
You will see the following interface, where you can connect to the platform using the predefined user accounts and passwords and review the documentation about how to use the TheHive virtual machine.
Click on the link to open TheHive under the Quick connect section, as shown in the following screenshot:
The virtual machine comes with two organizations configured by default, admin and demo. The admin organization is prepared to configure the platform with special administrative privileges, while, on the other hand, the demo organization is preconfigured as an organization for testing purposes.
Click the Save button.
You can create the users that will operate the server and assign them a specific profile:
Now, click the Save user button.
Once you've created the new user, it will appear on the Organization details panel.
There are more platform configurations that can be done here, but in this case, we will only make these changes for the time being.
Now that we have created a new organization and added a new user, it's time to work with incident response cases.
Incident response cases are the space where you can manage security incidents. Here, you can create cases in several ways:
In this part, we will cover the creation of new cases manually.
Log in to the main page of TheHive using the credentials of the new user created:
When starting the session, you will see the main panel with the list of added cases. In this case, none will appear because you have just created the organization, as shown in the following screenshot:
The scenario for our case is that the Security Operations Center (SOC) detected a new ransomware attack in one of the branches around the world. You will open a new case to start the procedures related to this security incident.
To create a new case for this incident, follow these steps:
You will see the details of the new case created, as shown in the following screenshot:
Now that the case is created, the next step is to add the tasks or procedures based on the incident response plan or playbook related to ransomware incidents.
In this case, we will add a task covering the triage process and the collection of artifacts from the compromised systems:
Click the green checkmark button to save the task:
You added a new task and assigned it to the user Investigator. This user will now be able to start working and documenting everything related to that activity.
To start working on this task, you need to do the following:
You will see the Tasks logs panel, where you can register the information related to this task.
Collecting memory dumps and forensic artifacts from the following computers:
HR-034-SP
AD-010-BA
RD-052-SP
MG-045-NY
You can add as many log entries as necessary and can add not just text; you can also add files and images when working on this task.
In the next part, you will learn how to create a case based on an incident response playbook.
TheHive allows you to create case templates based on incident response playbooks. In Chapter 9, Creating Incident Response Plans and Playbooks, we mentioned Austin Songer's project, https://github.com/austinsonger/Incident-Playbook, about creating incident response playbooks and how they can be mapped with the MITRE ATT&CK framework.
For our practical exercise, we will use the playbook related to ransomware incidents documented at https://github.com/austinsonger/Incident-Playbook/blob/main/Playbooks/MITRE-ATTACK/Impact/T1486-Data-Encrypted-for-Impact-Ransomware.md, assuming that the attack has already materialized, partially or totally.
Note
The best strategy is to identify and respond to attacks at an early stage, but in the same way, we must assume that in some cases, the attacker could evade our detection and protection systems. That's why it's important to create incident response playbooks for the different phases of an attack.
To create case templates based on incident response playbooks on TheHive, you must be signed in with org-admin privileges (you can see more details about roles and permissions here: https://docs.thehive-project.org/thehive/user-guides/organisation-managers/organisations-users-sharing/).
In this case, we will use one of the preconfigured users of the TheHive virtual machine:
This is shown in the following figure:
Click on the Save template button. The complete information is shown in the following screenshot:
Once we've created the template, we will add the tasks that we previously created in the ransomware incident response playbook.
1. Find any related messages. Check:
- graphical user interfaces (GUIs) for the malware itself
- text or html files, sometimes opened automatically after encryption
- image files, often as wallpaper on infected systems
- contact emails in encrypted file extensions
- pop-ups after trying to open an encrypted file
- voice messages
2. Analyze the messages looking for clues to the ransomware type:
- ransomware name
- language, structure, phrases, artwork
- contact email
Click on the Add task button.
The complete information is shown in the following screenshot:
Once we've created the case template based on the incident response playbook, we can use it when creating a new case.
Let's use this template now by creating a new incident response case about a ransomware incident.
In the Create new Case dialog box, you will see the template recently created. If you do not see it, you can refresh the web page to clear the cache and load the new information.
In the Create a new case dialog box, you will see the information previously captured when you created the template, as well as the added tasks of the playbook. You can update or modify that information if necessary.
You can now manage the case, selecting and assigning tasks to the incident responders and collaborators.
Under this tab, you will see the list of tasks based on the ransomware template created previously. Here, you can edit, add, or delete tasks according to the context of this case or assign the activities as appropriate, as shown in the following screenshot:
The best practice is to create incident response playbooks, as you learned to do in Chapter 9, Creating Incident Response Plans and Playbooks, and then integrate them into incident management platforms to act quickly and efficiently the moment they occur.
In the next part, you will learn how to add indicators of compromise related to a particular incident.
When you are working on an incident, it's very important to include information about Indicators of Compromise (IoCs) or Indicators of Attack (IoAs) as they are found. Take these steps to do this:
This will open the Create new observable(s) window. Here you can add the details for any IoC found.
Fill in the fields with the following parameters:
Click the + Create observable(s) button.
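The same observable fields (data type, value, description, TLP, IoC flag, tags) can be prepared programmatically before submitting them to a case. The following script is an added example, not code from the book or from TheHive: it classifies raw indicators into TheHive observable data types, going beyond the single hash used above to cover IPs, URLs, domains, filenames and registry keys, and assumes the TheHive 4 request body for `POST /api/case/{caseId}/artifact`; all indicator values are constructed.

```python
"""Build TheHive observable payloads from raw indicator strings.

Added example, not the book's or TheHive's code; it assumes the TheHive 4 body for
POST /api/case/{caseId}/artifact (dataType, data, message, tlp, ioc, tags).
Indicator values below are constructed.
"""
import ipaddress
import re

TLP = {"white": 0, "green": 1, "amber": 2, "red": 3}   # TheHive encodes TLP as 0..3
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}        # hex length -> algorithm
REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKEY_")
FILE_EXTENSIONS = (".exe", ".dll", ".txt", ".html", ".ps1", ".bat", ".lnk")
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def classify(value: str) -> str:
    """Map a raw indicator to a TheHive observable dataType (check order matters)."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_ALGO:
        return "hash"
    if v.upper().startswith(REGISTRY_HIVES):
        return "registry"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if "://" in v:
        return "url"
    if v.lower().endswith(FILE_EXTENSIONS):   # before domain: "invoice.exe" is a file
        return "filename"
    if DOMAIN_RE.fullmatch(v):
        return "domain"
    return "other"

def build_observable(value, message, tlp="amber", ioc=True, tags=()):
    """Return the JSON body TheHive expects for one new observable."""
    data_type = classify(value)
    tag_list = list(tags)
    if data_type == "hash":
        tag_list.append(HASH_ALGO[len(value.strip())])  # record the hash algorithm
    return {"dataType": data_type, "data": value.strip(), "message": message,
            "tlp": TLP[tlp], "ioc": ioc, "tags": tag_list}

if __name__ == "__main__":
    # Constructed indicators from a hypothetical ransomware case
    for ioc_value in ["0f" * 16, "198.51.100.23", "http://malicious.example/payload.bin",
                      "malicious.example", "invoice.exe", "HKLM\\SOFTWARE\\Example\\Run"]:
        print(build_observable(ioc_value, "constructed sample indicator", tags=["ransomware"]))
```

The payloads are printed rather than sent, so the script runs offline; submitting them requires the case ID and an API key for your instance.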
This is a powerful feature of TheHive because you can use Cortex running different analyzers. We are going to review this in more detail in the following section, where we will cover the functionality of Cortex.
To get intelligence provided from Cortex, you just need to run the preconfigured analyzers. The analyzers are tools that connect to external sources of intelligence through APIs.
Navigate to the Observables section.
Now, wait a few moments for the analyzers to look for the information. The results will appear at the bottom of the observable in blue labels, as shown in the following screenshot:
If no matches are found with those indicators, you can try with other intelligence sources.
If this indicator was seen before, you will view the context details and know if it is related to a campaign or known malicious actors. In this case, this hash is related to a malware sample, so we will get more details about this threat.
On the Search result panel, you will see the name(s) of the file along with additional information, as shown in the following screenshot:
You will see additional information regarding this malware, for instance, the number of antivirus detections, IDS alerts, processes, HTTP events, contacted hosts, and DNS requests. Scroll down the web page to see the antivirus positives, as shown in the following screenshot:
As you can see, there are detections referencing the threat as belonging to the Sodinokibi Ransomware family. Additionally, you can also search other intelligence sources, such as VirusTotal (https://www.virustotal.com/) and VirusBay (https://www.virusbay.io/).
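The labels TheHive shows under an observable are the taxonomy entries each Cortex analyzer returns in its report summary. The following script is an added example, not code from the book, TheHive or Cortex: it reduces several analyzer jobs for one observable to a single worst-case verdict, renders the labels, and keeps track of analyzers that failed so a missing result is not mistaken for a clean one; the jobs are constructed, not real analyzer output, and the `summary.taxonomies` shape is assumed from Cortex's analyzer report format.

```python
"""Aggregate Cortex analyzer summaries into one verdict per observable.

Added example, not code from the book, TheHive or Cortex. It assumes the
summary.taxonomies shape (level, namespace, predicate, value) that Cortex
analyzers report; the jobs below are constructed, not real analyzer output.
"""
LEVEL_RANK = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}

# Constructed jobs for one observable: two successful analyzers and one failure
SAMPLE_JOBS = [
    {"analyzerName": "AV_Lookup_Example", "status": "Success",
     "report": {"summary": {"taxonomies": [
         {"level": "malicious", "namespace": "AV", "predicate": "Positives", "value": "41/70"},
         {"level": "info", "namespace": "AV", "predicate": "Family", "value": "Sodinokibi"}]}}},
    {"analyzerName": "Sandbox_Example", "status": "Success",
     "report": {"summary": {"taxonomies": [
         {"level": "suspicious", "namespace": "Sandbox", "predicate": "Score", "value": "7/10"}]}}},
    {"analyzerName": "Broken_Example", "status": "Failure", "report": {}},
]

def taxonomies(job):
    """Taxonomy entries of a successful job; failed or empty reports yield none."""
    if job.get("status") != "Success":
        return []
    return job.get("report", {}).get("summary", {}).get("taxonomies", [])

def label(tax):
    """Render one taxonomy as a label string, namespace:predicate="value"."""
    return f'{tax["namespace"]}:{tax["predicate"]}="{tax["value"]}"'

def verdict(jobs):
    """Worst level seen across analyzers, the labels to show, and failed analyzers."""
    worst, labels, failed = "info", [], []
    for job in jobs:
        if job.get("status") != "Success":
            failed.append(job.get("analyzerName", "?"))
            continue
        for tax in taxonomies(job):
            level = tax.get("level", "info")   # unknown levels are treated as info
            if LEVEL_RANK.get(level, 0) > LEVEL_RANK[worst]:
                worst = level
            labels.append(label(tax))
    return {"level": worst, "labels": labels, "failed": failed}

if __name__ == "__main__":
    print(verdict(SAMPLE_JOBS))
```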
In a cybersecurity incident, you will find different IoCs, and in the same way as you did with the hash value, you can add observables and analyze them as URLs, IP addresses, filenames, or Windows Registry keys, among other things.
At this point, we have valuable information that will allow us to search for this IoC on other devices.
However, in a cybersecurity incident, the context is also very important. In Chapter 6, Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework, you became familiar with the MITRE ATT&CK framework. In the next part, you will learn how to document potential malicious behaviors (TTPs) in TheHive.
Another useful feature included in this version of TheHive is the integration with MITRE ATT&CK and the capability to add TTPs.
When you identify an IoA, you can directly map it to its corresponding technique/sub-technique.
To add a new TTP, follow these steps:
Click on the Add TTP button.
At this point, you initiated a new security incident case and performed the following activities:
To view the dashboard with the key information about your cases, do the following:
You will see information as shown in the preceding screenshot:
You can customize this dashboard according to your preferences and needs if you log in as an organization administrator.
In the following section, you will learn in more detail how to configure the main functions of Cortex, the intelligence component of TheHive.
As was mentioned at the beginning of the chapter, Cortex is a powerful engine to analyze observables and get intelligence from external sources.
The integration of TheHive and Cortex allows you to get threat intelligence information from different sources without having to change to different platforms. As you learned in the previous part, you only need to register an observable and select the analyzers where the information will be searched.
Also, you can integrate Cortex with other threat intelligence platforms such as the Malware Information Sharing Project (MISP). The following diagram shows the way this integration can be done:
It is also possible to initiate cases in an automated way by receiving alerts from different sources such as SIEMs and emails. This feature will be seen in the next chapter.
One of the features that you can configure in Cortex is the analyzers. The steps to configure analyzers are as follows:
Here, you can filter the analysis by Data Types, Job Type, and Analyzers, search by Observable, and delete a specific job.
Under the Analyzer section, you will see the list of analyzers, and on the right, the option to enable or disable them.
It's important to mention that some analyzers will require an API key, so before you can enable them, you will need to provide the required information.
Note
You can integrate additional analyzers such as VirusTotal, DomainTools, or many others into TheHive. Read the documentation in this Cortex GitHub repository: https://github.com/TheHive-Project/CortexDocs.
In this chapter, you learned the importance of an incident response platform as a core component of incident response capabilities.
Also, you learned to set up an instance of the TheHive incident management platform and how to generate new cases, create and assign tasks to analysts, collect observables, and obtain external intelligence through Cortex.
At the time of writing this chapter, an important change had been announced for version 5 of TheHive's licensing model. The new version will no longer be under the AGPL v3 license (this does not apply to the Cortex intelligence tool), but there will be a Free Community version that will keep the main incident management capabilities. Version 4.4-1 will be supported until December 31, 2022.
As I mentioned earlier, and as part of my commitment to keeping the content current and up to date with the tools, I will include the changes applicable to the new version of this incident management platform within the additional material of this chapter available on GitHub.
In the next chapter, you will learn how to integrate multiple technologies to automate incident response procedures.